RECENT DECISIONS OF THE PERSONAL DATA PROTECTION AUTHORITY

16 April 2020

The Personal Data Protection Board (“Board”) published its recent decisions on their website, on 15.04.2020.

In this context, the facts and decisions are as follow;

  1. “The decision dated 06.02.2020, no 2020/86 regarding the complaint against the data controller who is a flight ticket seller.

In the case, the data controller refused the demand which the related person made in order to change its e-mail address in the membership information on the data controller’s website. Upon this rejection, the data subject lodged a complaint to the Board.

The data controller asserted that the application was not made in a way regulated by “the Communique on the Procedure and Principle on the Application to Data Controller”.

In this context, in light of examination of the Board, it is stated that there is no need to take action against the data controller who rejected the data subject’s demand because the application had not been made in compliance with the regulations. However, the Board said; the explanations the data controller made to the Board and to the data subject are conflicting each other. In this sense, the data controller was ordered to take necessary technical and administrative measures to effectively and legally complete applications of data subjects.

After then, the data subject made second complaint against the data controller on the ground that the data controller had not responded its request within 30 days.

As a result of the examination the Board made, it is stated that;

  • Data subjects have right to bring a complaint to the Board if they do not get any answer for their request. However, there is no sanction in the Law for data controller who only does not respond the request.  Therefore, the sanction is not issue in this case, to the flight ticket seller.
  • However, the flight ticket seller has been fined of 50.000 TL on the ground that it did not follow the order the Board issued for taking necessary measures.
  1. “The decision dated 06.02.2020, no 2020/103 regarding the application against a bank which opens an account by processing personal data f the related person in order to gain potential customer”

The related person wanted to open a bank account in a bank branch; however he/she learned that there is an already an account belonging to him/her in the other branch of the same bank. Therefore, he/she brought a complaint to the Board because his/her personal data was processed by the bank branch he/she never went. 

The bank stated that in order to gain customer, personal data of the related person was accessed via the list provided by a third party to them. The bank as a data controller asserted that the customer number was not activated unless the contract was signed.

In this context, the Board found that

  • Even though the customer number has been issued before the Law on Personal Data Protection was enacted, personal data of the related person has still been being stored by the bank without data subject’s consent;
  • Moreover, the personal data of related person was not erased, destructed or anonymised by the bank, pursuant to provisional article 1 stating that “the personal data that were processed before the publication date of this Law shall be rendered compatible with the provisions of this Law within two years as of its date of publication. The personal data which are found to be in breach of the provisions of this Law shall be immediately erased, destroyed or anonymized.

In this context, the bank has been fined of 210.000 TL on the ground that the bank did not take necessary administrative and technical measures in order to avoid unlawfully processing of personal data.

You can read summary of the decisions (in Turkish) here.

Should you have any queries and/or remarks, please do not hesitate to contact us. 

Kind regards,

Zumbul Attorneys-at-Law

info@zumbul.av.tr